Critical vulnerability in DivX Web Player closed
Users with older versions of the DivX software are advised to update to the latest version in order to patch a critical security vulnerability. According to the security service provider Secunia, older versions of the DivX Web Player, which allows users to play videos directly in their browser, contain an error in the processing of Stream Format chunks that can be exploited to cause a heap-based buffer overflow. A successful attack could lead to the execution of arbitrary code.
For an attack to be successful, an attacker must convince a user to open a specially crafted DivX file or web page stream. Version 188.8.131.52 fixes the problem and is included in a bundle update. According to Secunia, the update has been available for download since mid-March. It is unclear why the report has only now been published.
Users are advised to run an update manager tool to make sure that their systems are always up-to-date with the newest versions of installed software. Applications such as Secunia's Personal Software Inspector (PSI) or FileHippo's Update Checker are available for Windows-based systems to help ensure that installed software is always patched.
The complete DivX and DivX Pro packages, which include the Web Player as a component, are now at version 7. The latest version of the DivX Web Player is available to download free for non-commercial use for Microsoft Windows and Apple Mac.
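Heap overflows in media chunk parsers generally come from a length field in the file being used without checking it against the data present and the buffer allocated. The following is an added illustration of the validation a stream-format parser needs, not DivX code and not taken from the Secunia advisory, whose details of the actual flaw are not given here. It assumes the standard AVI layout (a `strf` RIFF chunk carrying a BITMAPINFOHEADER); `parse_strf`, `try_chunk` and the `STRF_MAX` cap are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STRF_MAX 4096u   /* assumed cap on a stream-format payload */
#define BIH_MIN  40u     /* sizeof(BITMAPINFOHEADER) */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copy the payload of the 'strf' chunk at buf[0..len) into a fresh heap
 * buffer. Returns 0 and fills *out / *out_len, or -1 if any length field
 * is inconsistent with the bytes actually present. */
int parse_strf(const uint8_t *buf, size_t len, uint8_t **out, uint32_t *out_len) {
    if (len < 8 || memcmp(buf, "strf", 4) != 0) return -1;
    uint32_t declared = rd_le32(buf + 4);           /* untrusted chunk size */
    if (declared < BIH_MIN || declared > STRF_MAX) return -1;
    if (declared > len - 8) return -1;              /* chunk runs past input */
    uint32_t bi_size = rd_le32(buf + 8);            /* biSize, also untrusted */
    if (bi_size < BIH_MIN || bi_size > declared) return -1;
    uint8_t *copy = malloc(declared);               /* sized by the checked value */
    if (copy == NULL) return -1;
    memcpy(copy, buf + 8, declared);                /* copies exactly what was allocated */
    *out = copy;
    *out_len = declared;
    return 0;
}

/* Constructed sample: build a 'strf' chunk with the given length fields over
 * `present` payload bytes and return parse_strf()'s verdict. */
int try_chunk(uint32_t declared, uint32_t bi_size, size_t present) {
    uint8_t buf[8 + 64] = { 's', 't', 'r', 'f' };
    uint8_t *out = NULL;
    uint32_t n = 0;
    if (present > 64) return -2;                    /* sample buffer too small */
    for (int i = 0; i < 4; i++) {
        buf[4 + i] = (uint8_t)(declared >> (8 * i));
        buf[8 + i] = (uint8_t)(bi_size >> (8 * i));
    }
    int rc = parse_strf(buf, 8 + present, &out, &n);
    if (rc == 0 && n != declared) rc = -3;
    free(out);
    return rc;
}
```

The allocation and the copy use the same validated value, and both the chunk size and the embedded `biSize` are rejected if they exceed the bytes actually read.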
- DivX Web Player Stream Format Chunk Buffer Overflow, advisory from Secunia.
- Personal Software Inspector, Secunia PSI page.
- Web Player's blog, DivX Web Player page.